ManageEngine Browser Security Plus is a point solution that makes it easy for you to manage and audit web browser use in your organization centrally.

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.


As a working Windows systems administrator, you know that Group Policy in Active Directory Domain Services (AD DS) gives you a degree of centralized control over Microsoft's own web browsers, Edge and Internet Explorer.

However, in today's Bring Your Own Device (BYOD) and Corporate Owned, Personally Enabled (COPE) IT landscape, your users likely prefer non-Microsoft browsers such as Google Chrome or Mozilla Firefox.

How can you enforce your organizational security policies, given this cross-vendor web browser context? ManageEngine developed a point solution called Browser Security Plus that addresses just this use case. Let's take a look.

Browser Security Plus in a nutshell

Browser Security Plus (BSP) is a software-as-a-service (SaaS) application that consists of the following components:

  • Server services (the server itself, a notification service, and an Apache web server service)
  • A web-based management interface
  • An .msi agent

Although the Browser Security Plus server includes open-source components, this solution is aimed at Windows-based servers and endpoints. Moreover, the supported browser list noticeably does not include Apple Safari:

  • Microsoft Edge
  • Microsoft Internet Explorer
  • Google Chrome
  • Mozilla Firefox

The BSP core feature set incorporates the following four value propositions:

  • Detect: Gain visibility into which browsers your users use and which browser add-ons they have installed
  • Enforce: Deploy security configurations to mitigate phishing and malware attacks
  • Control: Regulate access to browser add-ons and browser-based apps
  • Audit: Report on browser usage and policy compliance

Installation and configuration

Per the Browser Security Plus documentation, you install the server on a Windows Server or even a Windows Client device that meets reasonably low system requirements. As I said, all server management occurs via a central web application that listens on TCP port 9393 for HTTPS and TCP port 9030 for HTTP, by default.

The default login is a disappointing admin/admin combination; of course you will want to perform a number of post-installation tasks right away:

  • Change the admin account password
  • Install your own private or public SSL/TLS certificate to protect the management site
  • Configure proxy and/or mail server IP addresses as appropriate
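One way to confirm the certificate task above took effect, as an added example that is not from the article or from ManageEngine: the script reads the certificate the console presents on the HTTPS port and checks whether the plain HTTP port still answers. The host name is a placeholder, and Windows PowerShell 5.1 or later is assumed.

```powershell
# Post-install check for a BSP console. $Server is a placeholder host name;
# 9393 (HTTPS) and 9030 (HTTP) are the default ports named in the article.
param(
    [string]$Server    = 'bsp01.example.test',
    [int]   $HttpsPort = 9393,
    [int]   $HttpPort  = 9030
)

function Get-ConsoleCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect it, not trust it.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

$cert = Get-ConsoleCertificate -HostName $Server -Port $HttpsPort

# Build the chain against this machine's trust stores, as an admin's browser would.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keeps the check usable on isolated networks
$chainTrusted = $chain.Build($cert)

# Is the unencrypted listener still reachable from this machine?
$httpOpen = (Test-NetConnection -ComputerName $Server -Port $HttpPort -WarningAction SilentlyContinue).TcpTestSucceeded

[pscustomobject]@{
    Server        = $Server
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    SelfSigned    = ($cert.Subject -eq $cert.Issuer)
    ChainTrusted  = $chainTrusted
    NotAfter      = $cert.NotAfter
    DaysRemaining = [int]($cert.NotAfter - (Get-Date)).TotalDays
    PlainHttpOpen = $httpOpen
}
```

A result with ChainTrusted set to False means the console is not yet presenting a certificate this machine trusts; PlainHttpOpen set to True means the HTTP port is reachable and is a candidate for a firewall rule.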

The following screenshot shows the BSP Admin global settings page:

Configuring admin settings in BSP


After you configure the BSP server itself, it's time to deploy the agent to your Windows-based endpoints. Navigate to Agent > Active Directory and add your AD domain to the tool by specifying domain administrative credentials.

You now can add computers and deploy the agent directly from the Scope of Management page, shown in the next screenshot.

Deploying the BSP agent to domain or workgroup joined devices


You will also want to navigate to Manage > Groups & Computers and assign computers with similar browser requirements into one or more groups.

Defining our first browser management policy

Oh boy—where to begin? There are so many management options to choose from in this tool. First, from the Manage page, check out:

  • Sites Group: Create groups of website URLs you want to add to your policies as one unit
  • Extension Repository: Pre-populate browser extensions that are either required for your users or optionally available to them
Adding an authorized browser extension to BSP


Now head over to the Policies page in the BSP web management portal. Here are the general policy categories:

  • Threat Prevention: Allow or restrict file downloads, enable a phishing filter, or require strict digital certificate revocation checking
  • Data Leakage Prevention: Apply digital rights management (DRM) policies, such as restricting the user's ability to screenshot the browser, print a webpage, and so forth
  • Add-on Management: Control which browser extensions users can and cannot install (shown in the next screenshot)
  • Web Isolation: Block data persistence between browsing sessions and restrict iFrame behavior
  • Browser Lockdown: Convert the browser to kiosk mode when accessing certain URLs
  • Browser Router: Manage inter-browser compatibility issues by redirecting traffic to particular browser(s)
  • Java Manager: Control access to the Java Runtime Environment on users' computers
  • Browser Customization: Configure content restrictions, URL access rules, and default home page; control browser startup behavior
Configuring a BSP browser security policy


The client experience

By default, the user is unable either to modify the BSP agent properties or to uninstall the agent. I show you this in the next screenshot.

BSP agent controls are out of the user's reach


From there, the product simply works. For example, in my lab environment I created a strict Add-on Management policy in which users cannot install their own Chrome extensions, and instead can only install extensions on my whitelist.

As you can see in the following screenshot, the product prevents the user from undertaking a restricted action.

A BSP block displayed to the end user


Two criticisms I have of the BSP end-user experience are:

  • I sometimes needed to reassociate a policy manually to a management group or to individual managed computers to get the policy to "take" on the endpoint
  • The block messages are not particularly descriptive or user-friendly

Reporting on browser usage and security policy

BSP includes a number of dashboards and built-in reports on its Insights page to help you gain insight on your user base, their browsing habits, and their endpoint compliance. Some of the built-in reports include:

  • Unsecure (unsigned) plug-ins
  • Phishing filter compliance status
  • Outdated plug-ins
  • Potentially harmful extensions
  • Computers with or without a specific extension
  • Computers with or without a specific plug-in

I show you the Browsers dashboard in my lab environment next:

A built-in BSP dashboard


The web interface allows you to view your report data as a table, customize visible columns, and export your reports as PDF, CSV, or Excel documents.

The Compliance page lets you define the browser policy settings you need to track for compliance purposes and then report on your endpoints' current status.

Wrap-up

ManageEngine requires you to ask them for a quote to determine their specific license prices, but I can tell you they license Browser Security Plus in two models:

  • Annual subscription: Fixed cost per year that includes product support
  • Perpetual model: One-time license fee with annual maintenance costs

In summary, I think BSP does a decent job at managing a multi-browser environment in a way that does not require a lot of additional hardware or software. On the other hand, I tend to dislike so-called "point solutions" and instead prefer more all-encompassing central management products.

If you do struggle with supporting multiple users with multiple browsers, and balance user convenience on one hand against regulatory/policy compliance on the other, you may want to take a closer look at ManageEngine Browser Security Plus.
